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In te application of; 

Hinchliffeetal. 
Application No, 10/028.412 
Filed: December 21. 2001 



For DESKTOP SECURITY IN PEER-TO-PEER 
NETWORKS 



Art Unit: 2143 
Examiner: Dennison, Jerry B. 
Date: October 13, 2005 



Commissioner for Patents 
P.O. Box 1450 
Alexandria. VA 22313-1450 

ATTENTION: Board of Patent Appeals and Interferences 

APPEAL BRIEF (37 CF,R. § 41.37) 

This brief is in flirttierance of the Notice of Appeal, filed in this case on September 13, 
2005. 

The fees required under §1.17, and any required petition for extension of time for filing 
this brief and fees therefore, are dealt with in the accompanying TRANSMITTAL OF 
APPEAL BRIEF. 

This brief contains these items under the following headings, and in the order set forth 
below (37 CJP.R. § 41.37(c)(i)): 

I REAL PARTY IN INTEREST 

n RELATED APPEALS AND INTERFERENCES 

m STATUS OF CLAIMS 

IV STATUS OF AMENDMENTS 

V SUMMARY OF CLAIMED SUBJECT MATTER 

VI GROUNDS OF REJECTION PRESENTED FOR REVIEW 
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Vn ARGUMENTS 

Vm APPENDIX OF CLAIMS INVOLVED IN THE APPEAL 

IX APPENDIX LISTING ANY EVIDENCE RELIED ON BY THE APPELLANT 

IN THE APPEAL 

The final page of this brief bears the practitioner's signature. 
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I REAL PARTY IN INTEREST (37 CJPA. § 41.37(cKl)(i)) 
The real parTjr in Interest in this appeal is McAfee. Inc. 
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n RELATED APPEALS AND INTERIXRENCES (37 C.F.lt § 41.37(c) (IXK)) 

With respect to other prior or petiding appeals, interferences, or related judicial 
proceedings that will directly affect, or be directly affected by, or have a liearmg on the 
Board's decision in the pending ^peal, there are no other such appeals, interferences^ or 
related judicial proceedings. 

Since no such proceedings exists no Related Proceedings Appendix is appended hereto. 
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m STATUS OF CLAIMS (37 C.F.It § 41 J7(c) (l)(ni)) 

A. TOTAL NXMBER OF CLAIMS IN APPLICATION 

Claims in the application are: 1, 2, 4, 3. 7. 9-16, IS, 19, 21, 23-30, 32. 33, 35. and 37 - 
49 

B. STATUS OF ALL THE CLAIMS IN APPLICATION 

1 . Claims withdrawn firom consideration: None 

2. Claims pending: 1, 2, 4, 5, 7, 9-16, 18, 19, 21. 23-30, 32, 33, 35, and 37 - 49 

3. Claims allowed: None 

4. Claims rejected: 1, 2, 4, 5, 7, 9-16. 18. 19, 21. 23-30, 32, 33, 35, and 37 - 49 
C CLAIMS ON APPEAL 

The claims on appeal are: 1, 2, 4. 5, 7, 9-16, 18, 19, 21, 23-30, 32, 33, 35, and 37 - 49 

See additional status information in the Appendix of Claims. 
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IV STATUS OF AMENDMENTS (37 C.F.R. § 41.37(eXl)(lY)) 

As to the status of any amendment filed subsequent to final rejection, an amendment 
was filed August 3, 2005. In the Advisory Action dated August 25, 2005, the Examiner 
did not enter such amendment because new issues were raised which would require 
fiirther search and consideration. 
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V SUMMARY OF CLAIMED SUBJECT MATTER (37 CP,R, § 4L37(c)(l)(v)) 

With respect to a summary of Claim 1 et al, as shown in Figure 2, a computerized 
method is provided which monitors a peer-to-peer network for suspicious activity 
based on patterns of activity (e.g. item 200 of Figure 2), An action associated with a 
particular pattern Is performed when the particular pattern is detected in the peer-to- 
peer network (e.g. item 207 of Figure 2). Also, the peer-to-peer network permits 
peers to connect and operate substantially without a server by utilizing the server, at 
most, for providing addresses for the peers in the peer-to-peer network. 
Furthermore^ a pattern of activity is defined in terms of a configuration of shared 
data on a peer, where the configuration establishes a baseline of authorized shares 
and permissions in association with the shared data. In use, the monitoring of the 
peer-to-peer network comprises evaluating a change with respect to the shared data 
on a peer In the peer-to-peer network, where the change is made with respect to the 
baseline. Note paragraph [002 1] on page 9 - paragraph (0023J on page 1 0, for 
example. 
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VI GROUNDS OF REJECTION PRESENTED FOR REVIEW 
(37 CF.R. § 41.37(cXl)(vi)) 

Following, under each issue listed, is a concise statement setting forth the corresponding 
ground of rejection. 

Issue #1 : The Examiner has rejected Claims 1, 15, 29, 45 and 48 under 35 U.S.C. 1 12, 
second paragraph, as being indefinite for failing to particularly point out and distinctly 
claim the subject matter which appellant regards as the invention. 

Issue #2: The Examiner has rejected Claims 1, 2, 5, 11, 15, 16, 19, 25, 30, 33, 39 and 
45-49 under 35 U.S.C. 103(a) as being unpatentable over Welch, Jr. et al., U.S. Patent 
No. 5,862,335, in view of Meadway et al.. U.S. Patent No. 6,675,205. 

Issue #3 : The Examiner has regected Claims 4. 7, 9, 1 0, 12-14, 1 8, 21 , 23, 24, 26-28, 32, 
35, 37, 38 and 40-44 under 35 U.S.C. 103(a) as being unpatentable over Welch, Jr. et 
al., U.S. Patent No. 5,862,335, in view of Meadway et aL. U.S. Patent No. 6,675,205, ui 
further view of Conklhi et al., U.S. Patent No. 5,991,881. 
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Vn ARGUMENTS (37 CF JEL § 4137(c)(lXvn)) 

The claims of the groups noted below do not stand or fall together. In the present 
section, appellant explains why the dahns of each group are believed to be separately 
patentable. 

Issue #1: 

The Exammer has rejected Claims 1, 15, 29, 45 and 48 under 35 U.S.C. 1 12, second 
paragraph, as being indefinite for failing to particularly point out and distinctly claim the 
subject matter which appellant regards as the invention. 

Group • Claims /, 15 and 29 

The Examiner has stated that it is unclear to the Examiner what "and operate 
substantially" means. The Examiner has also stated that it is unclear as to what is 
required by the server and that using the server for anything is an option. However, 
appellant respectfbUy asserts that the clmm language in the foregoing claims expressly 
states that 'the peer4o-peer network permits peers to connect and operate substantially 
without a server bv utilizing the server, at most, for providing addresses for the peers in 
the peer-to-peer network^ (emphasis added). Thus, the peers, at most use the server for 
providing addresses for the peers in the peer-to-peer networlc 

Group #2: Claim 45 

The Examiner has stated tiiat it is unclear what the clahn language means, what is taking 
action and what action is taken. Appellant respectfully asserts the " share configuration 
loop is executed to. ..take action as a function of a type of the changes'' (emphasis 
added). Appellant further asserts that die actual action taken i$ not claimed and would 
unduly limit such claim. 

Group #J; Claim 48 
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The Examiner has stated that it is unclear why the configuration loop examines against a 
previously recorded share configuration. Appellant respectfully asserts that claiming a 
reason why 'the share configuration loop examines a cxirrent share configuration against 
a previously recorded shared configuration*^ would unduly limit such claim by limiting 
the function to a claimed purpose. 

Issue #2: 

The Examiner has rejected Claims h 2> 5, 11,15, 16, 19, 25, 29, 30, 33, 39 and 45^9 
under 35 U.S.C. 103(a) as being unpatentable over Welch. Jr. et al., U.S. Patent No. 
5,862.335, in view of Meadway et al., U-S. Patent No. 6,675,205. 

Group Claims /. 2, 15, 16, 29 and 30 

It is noted that the Examiner has attempted to interpret appellant's claimed peer-to- 
peer network to refer to, for ^cample, any client and server communications. 
Appellant respectfiiUy disagrees with this interpretation, especially m view of the 
previous amendments which require that "the peer-to-peer networic permits peers to 
connect and operate substantially without a server by utilizing the server, at most, 
for providing addresses for the peers in the peer-to-peer networlc.^ 

The Examiner has relied on the following excerpts fi-om Meadway to make a prior 
art showing of appellant's claimed '•performing an action associated with a 
particular pattern when the particular pattern is detected in the peer-to-peer network" 
(see this or similar, but not identical language in each of the foregoing claims). 

''E3q>andizig on the above concepts, che Invented system is a 
service whioh perforins centralized searches based on Index 
information transmitted by peer syBtems to the central site 
usln^ an ag^ent program running^ on each peer, and then directs 
the peer systems to each other for the purpose of retrieving 
files." (Col. 1, lines 4S-S2-emphasis added) 

""..the file is sent by the syscem containing the file either to 
the central site or directly to the user Who requested the 
file via email attachment." (Col. 1, lines 63-65) 
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"agent program downloaded and installed by each peer system 
user. This agent program is described in detail in pending 
U.S. patent application Ser. Nos . 09/419,405, U.S. Pat. No. 
6.516,337, and 09/575,971, filed May 23, 2000, by the same 
inventors which are hereby incorporated by reference. The 
indexing process on each system may be initiated manually or 
on a scheduled basis, with updates transmitted whenever the 
user connects to the central service." (Col. 2, lines 1-10) 

Appellant respectfully asserts that the excerpts relied on by the Examiner simply 
relate to "direct[ing] the peer systems to each other for the purpose of retrieving 
files" (see emphasized excerpt above), In no way do such excerpts teach appellant^s 
specific claim language^ namely "performing an action associated with a particular 
pattern when the particular pattern is detected..." (emphasis added), especially when 
read in the context of the remaining claim language where ^ ^suspicious activity [is 
monitored] based on [the] patterns of activity" (emphasis added). Clearly, only 
generally directing peer systmis to each other^ as in Meadway, does not meet 
''performing an action associated with a particular pattern" where such monitoring is 
with re$pect to ''suspioions activity," in the context claimed by appellant 

The Examiner has also relied on die above cited excerpts to make a prior art 
showing of appellant's claimed technique ^'wherein a pattern of activity is defined in 
terms of a configuration of shared data on a peer, the configuration establishing a 
baseline of authorized shares and pemiissions in association with the shared data." 
Appellant respectfully asserts that that nowhere in the above excerpts is there even 
any mention of defining the pattem of activity **in terms of a configuration of shared 
data on a peer, the configuration establishing a baseline of authorized shares and 
permissions in association with the shared data. " as claimed by appellant (emphasis 
added). 

Instead^ Meadway simply teaches that "index information [is] transmitted by peer 
systems to the central site using an agent program running on each peer, and 
then. . .the peer systems [are directed] to each other for the purpose of retrieving 
files" (see excerpts above). Appellant notes that such indexed information relates to 
the "contents of the files" (see Col. 2, linel 5), and therefore, no baseline of 
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authorized shares and pcnnissions is established in Meadway, in the context claimed 
by appellant 

The Examiner has again relied on the above cited excerpts to make a prior art 
showing of appellant's claimed technique 'Svherein monitoring a peer-to-pecr 
network comprises evaluating a change with respect to the shared data on a peer in 
the peer-to-peer network, the change being made with respect to the baseline.** 
Appellant asserts that such excerpts yet again fail to teach ** evaluatlng a change with 
respect to the shared data on a peer in the peer-to-peer network, the change beinp 
made with respect to the baseline^ " as claimed by appellant (emphasis added). In the 
excerpts above, Meadway discloses that ""updates [are] transmitted whenever the 
user connects to tiie central service." However, such updates relate to the indexing 
process^ as disclosed in the excerpts above, and not ""evaluating a change. , .with 
respect to the baseline" where such baselme is of ""authorized shares and permissions 
in association with the shared data,'? as claimed by appellant. 

To establish ^ prima facie case of obviousness, three basic criteria must be met 
Fbst, there must be some suggestion or motivation, either in the references 
themselves or in the knowledge generally available to one of ordinary skill m the art. 
to modify the reference or to combine reference teachings. Second, there must be a 
reasonable expectation of success. Finally, the prior art reference (or references 
when combined) must teach or suggest all the claim limitations. The teaching or 
suggestion to make the claimed combination and the reasonable expectation of 
success must both be found in the prior art and not based on appellant's disclosure. 
In re Vaeck,947 F.2d488, 20 USPQ2d 1438 (Fed,Cir.l991). 

Appellant respectfully asserts that at least the third element of die prima facie case 
of obviousness has not been met, since the prior art references, when combined, fail 
to teach or suggest all of the claim limitations^ as noted above. Thus, a notice of 
allowance or a specific prior art showing of gll of appellant's claim limitations, in 
combination with the remaining claim elements, is respectfiilly requested. 

Group §2: Claims 5, J 9 and 33 
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The Examiner has relied on Col. 3, lines 25-30 and 45-50 in Welch to make a prior 
art showing of appellant's claimed '"pattern of activity [that] is defined hi terms of 
network trafiRc in the peer-to-peer network that uses a specific protocol." Appellant 
notes, however, that such excerpts from Welch only generally disclose "analyz[in8] 
logical connections and file transfers, . .by examining the information of layers 2,3, 
and 4*' where '^protocol control information 42 [is] available in layers 2, 3. 4 and 7 
of a packet." Only generally examining protocol control infonnation, however, does 
not meet appellant's claimed "pattern of activity^, let alone "a pattern of activity 
[that] is defined in terms of network traffic. . .that uses a specific protocol " (emphasis 
added). 

Again, appellant respectfully asserts that at least the third element of the prima facie 
case of obviousness has not been met> smce the prior art references, when combined, 
fi^l to teach or suggest §ti of the claim limitations^ as noted above. 

Grotp #3: Claims 11 25 and 39 

The Examiner has relied on the following excerpt from Welch to make a prior art 
showing of appellant's claimed technique Vherein the patterns of activity are local 
to a peer in the peer-to-peer network." 

"...a copy of the revised connection record 93 to the archive, 
This allows dynamic display of connection activity. Analysis 
of the packet complete, CMB d3 branches co etep 204. 

Thua, methods of monitoring both local coimectione and file 
transfers in a computer network have been described.'' (Col. 
10« lines 5-10) 

Appellant respectfully asserts that such excerpt merely discloses **monitoring. . .local 
connections and file transfers." Clearly, mere local connections do not meet 
appellant's claimed "patterns of activity fthatl ar e local to a peer in the peer-to-peer 
network'' (emphasis added). 
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Again, appellant respectfully asserts that at least the third element of the pnma facie 
case of obviousness has not been met, since the prior art references, when combined, 
fail to teach or suggest all of the claim limitations^ as noted above. 

Group #4: Claim 45 

The Examiner has relied on the following excerpt from Meadway to make a prior ait 
showing of appellant's claimed '"wherein a share configuration loop is executed to 
detect changes to shares and corresponding permissions, and take an action as a 
function of a type of the changes." 

^.,agent program downloaded and installed by each peer system 
user. This agent program is described in detail in pending 
U.S. patent application Ser. Nos. 09/419,405, U.S. Pat. No. 
6,516,337f and 09/575,971, filed May 23, 2000, by the same 
inventors which are hereby incorporated by reference. The 
indexing proceed on each system may be initiated manually or 
on a scheduled baeis, with updates transmitted whenever the 
user conneccs to the central service. 

The agent ia also responsible for transmitting copies of the 
requested file to the systems whose requests are waiting..," 
(Col. 2, lines 1-10) 

Appellant respectfully asserts that the agent program disclosed in Meadway is 
simply associated whh the indexing process where the index is of "^the contents of 
the files" on peers (see Col. 2, lines 14-1 S). Simply nowhere in Meadway is there 
even any mention of a ^ ^share configuration loop Tthat] is executed to detect changes 
to shares and coiresnonding permissions, and take an action as a ftrnction of a typ e 
of the change, " as claimed by appellant (emphasis added). 

Again, appellant respectfiiUy asserts that at least the third element of the prima facie 
case of obviousness has not been met, since the prior art references, when combined, 
fail to teach or suggest all of the claim limitations, as noted above. 

Group #5; Claim 46 
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The Examiner has again relied on Col. 2, lines MO of Meadway to make a prior art 
showing of appellant's claimed technique 'Vherein the share configuration loop Is 
executed dynamically." Appellant respectfully asserts that such excerpt along with 
the entire Meadway reference fail to meet appellant's claimed "share configuration 
loop," and thus also cannot meet the instant claim language further describing the 
claimed share configuration loop. Again, appellant respectftilly asserts that the 
agent program disclosed in Meadway is merely associated with the indexing process 
where the index is of "the contents of the files'* on peers (see Col. 2, lines 14-15). 
Simply nowhere in Meadway is there even any mention of a '' share configuration 
loop [that] is executed dv namicaHy /' as claimed by appellant (emphasis added). 

Again, appellant respectfully asserts that at least the third element of the prima facie 
case of obviousness has not been met| since the prior art references^ when combined^ 
fail to teach or suggest ill of the claim lunitations, as noted above. 

Group #6: Claim 47 

The Examiner has again relied on Col. 2, lines 1-10 of Meadway to make a prior art 
showing of appellant's claimed technique ^'wherein the share configuration loop is 
executed on a schedule." Appellant respectfuUy asserts that such excerpt along with 
die entire Meadway reference fiail to meet appellant's claimed "share configuration 
loop'' and thus also cannot meet the instant claim language further describing the 
claimed share configuration loop. Again, appellant respectfully asserts that the 
agent program disclosed in Meadway is merely associated with the indexing process 
where the index is of ''the contents of the files" on peers (see Col. 2. lines 14-15). 
Simply nowhere in Meadway is there even any mention of a "share configuration 
looE [that] is executed on a schedule, " as claimed by appellant (emphasis added). 

Again, appellant respectfully asserts that at least the third element of the prima facie 
case of obviousness has not been met, since the prior art references, when combined, 
fail to teach or suggest ail of the claim limitations, as noted above. 

Groig> 47: Claim 48 
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The Examiner has again relied on Co). 2» lines NIO of Meadway to make a prior art 
showing of appellant's claimed technique **wherein the share configuration loop 
examines a current share configuration against a previously recorded shared 
configuration Appellant respectfully asserts that such excerpt along with the 
entire Meadway reference fail to meet appellant's claimed "share configuration 
loop" and thus also cannot meet the instant claim language further describing the 
claimed share configuration loop. Again, appellant respectfully asserts that the 
agent program disclosed in Meadway is merely associated with the indexmg process 
where the index is of "the contents of the files*' on peers (see Col. 2, lines 14-15). 
Simply nowhere in Meadway is there even any mention of a "share configuration 
loop [that] examines a current share confipuration against a previously recorded 
shared configuration," as claimed by appellant (emphasis addecO^ 

Again, appellant respectfully asserts that at least the third element of the prima facie 
case of obviousness has not been met, since the prior art references, when combined, 
fail to teach or suggest aU of the claim limitations, as noted above. 

Grotq^ §8: Claim 49 

The Examiner has yet again relied on Col. 2, lines 1-10 along with Col. 2 lines 35- 
41 in Meadway to make a prior art showing of appellant*s claimed technique where 
"if the change includes an attempt to un-share a file or dh-ectory, the action includes 
a log entry." Appellant asserts that such excerpts do not teach any sort of "attempt 
to un-share a file or directory" as claimed by appellant, but instead only disclose 
indexing the contents of files and an "agent that reports to the central server the 
identities of files on the computer that will be provided if requested by others,*' In 
addition, such excerpts also fail to teach "a log entry*" action if a change is made 
with respect to un-sharing a file or directory, in the manner claimed by appellant. 

Again, appellant respectfully asserts that at least the third element of the prima facie 
case of obviousness has not been met, since the prior art references, when combined, 
&il to teach or suggest all of the claim limitations, as noted above. 
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Issue #3: 

The Examiner has rejected Claims 4, 7, 9, 10, 12-14, 18, 21. 23, 24, 26-28, 32, 33, 
37, 38 and 40-44 under 35 U.S.C, 103(a) as being unpatentable over Welch, Jr. et 
al., U.S. Patent No. 5,862,335, in view of Meadway et al., U.S. Patent No. 
6,675,205, in further view of Conklin et al., U.S. Patent No. 5,991,881 . 

Group #7; Claims 4, 10, 12, 18, 24, 26, 32. 38 and 40-42 



Appellant respectfully asserts that such claims are not met by the prior art for die 
reasons argued with respect to Issue #1, Group Ml, 



Again, appellant respectfully asserts that at least the third element of the prima facie 
case of obviousness has not been met» smoe the prior art references, when combined, 
fail to teach or suggest §11 of the claim limitations, as noted above. 



Groiip #2: Claims 7, 21 and 33 



The Exammer has relied on the following excerpt from Conklin to make a prior art 
showing of appellant's claimed "pattern of activity [that] is defined in terms of 
network traffic in the peer-to-peer network having a foreign address.*' 



^WUen a packet or accumulation of pack&t^ natch a predefined 
intrusion profile the Xntruaion Detection function identifies 
the network traffic as a reportable activity will cocstruct a 
data structure which containg a date/time stamp indicating the 
time of detection, the souroe and destination Internet 
Protocol (IP) addresses, an assigned message identifying the 
event detected. This data structure id passed to the Alert 
Notification function for processing, when a positive 
identification of a reportable activity occurs, the entire 
triggering packet (s> may be written to a log file created in 
the Rvidenqe Logging function," (Col. S, lines 2S-35-einphasis 
added) 

Appellant respectfiilly asserts that the above excerpt &om Conklin only leaches that 
"[when] a packet or accumulation of packets match a predefined intrusion profile 
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[then] a data structure [will be constructed] which contains.. .the source and 
destination., .addresses'* (see emphasized excerpt above). Thus, the pattern of 
activity in Conklin is not taught to be "defined m terms of network traffic. . .having a 
foreign address," as claimed by appellant, but instead only general source and 
destination addresses are reported aftgt the match is made. 

Again, appellant respectfully asserts that at least the third element of the prima facie 
case of obviousness bas not been met, since the prior art references^ when combined, 
fail to teach or suggest ail of the claim limitations, as noted above. 

Group M3: Claims 9, 23 and 37 

The Exammer has relied on Col S, lines 33-35 of Conklin, as excerpted above, to 
make a prior ait showing of appellant's claimed technique ^Svherein the action 
comprises logging information about the particular pattern." However, appellant 
respectfully asserts that only "the entire triggering paclcet(s) (arej written to a log 
file^' in Conklin (emphasis added), and not "information about the particular 
pattern^ ** as claimed by E^spellant (emphasis added). 

Again, appellant respectfully asserts that at least the thkd element of the prima facie 
case of obviousness has not been met, since the prior art references, when combined, 
fail to teach or suggest sU of the claim limitations, as noted above. 

Group M: Claims J3, 27and43 

The Examiner has relied on Col. 4, lines 45-55 in Conklin to make a prior art 
showing of appellant's claimed "obtaining a set of rules specifying the patterns of 
activity and associated actions.'' Appellant notes, however, that the above excerpt in 
Conklin completely fails to even mention "a set of rules specifying the patterns of 
activit y and associated actions, " as claimed by appellant (emphasis added). In fact, 
even the Examiner, in his rejection, states that "Conklin disclosed obtaining pre- 
stored patterns of activity in a database," but fails to address any "associated 
actions*' as in appellant's claim language. 
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Again, appellant respectflilly ass^ that at least tiic third element of the prima facie 
case of obviousness has not been met, since the prior art references, when combined, 
fail to teach or suggest all of the claim limitations, as noted above. 

Group #5; Claims 14, 28 and 44 

The Examiner has relied on the following excerpt fh)m Conklin to make a prior art 
showing of appellant's claimed "refreshing the set of rules when the set of rules 
changes." 

'*the IntrueJLon Detection fuxicbion examined the data in 
comparison to a series o£ predefined or learned patterns which 
are pre-stored or developed from data received from the 
network . 

In the preferred embodiment, the networJc data is compared to a 
database of known patterns." (Col. 4/ lines 48-$2) 

Appellant respectfully asserts that the above excerpt merely discloses comparing 
'the data. . .to a series of predefined or learned patterns which are pre-stored." 
However, nowhere in such exceqrt or the entire Conklin reference Is there any 
suggestion of ^' refreshing the set of rules when the set of rules changes,'* as clafaned 
by appellant (emphasis added). 

Again, appellant respectfully asserts that at least Ac third element of the prima facie 
case of obviousness has not been met, since the prior art references, when combined, 
fail to teach or suggest all of the claim limitations, as noted above. 

In view of the reniarlcs set fotth hereinabove, all of the independent claims are deemed 
allowable, along with any clidms depending therefrom. 
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Vm APPENDIX OF CLAIMS (37 CXR. § 41.37(cXl)(vlU)) 

The text of the claims involved in the appeal (along with associated status information) 
is set forth below: 

1 . (Previously Presented) A computeiized method comprising: 
monitoring a peer-to-peer network for suspicious activity based on patterns 

of activity; and 

performing an action associated with a particular pattern when the particular 
pattern is detected in the peer-to-peer network; 

wherein the peer-to*peer network pennits peers to connect and operate 
substantially without a server by utilizing the server, at most, for providing 
addresses for the peers in the peer-to-pecr netwoik; 

wherein a pattern of activity is defined in terms of a configuration of shared 
data on a peer, the configuration establishing a baseline of authorized shares and 
permissions in association with the shared data; 

wherein monitoring a peer-to-peer network comprises evaluating a change 
with respect to the shared data on a peer in the pecr-to-peer network, the change 
being made with respect to the baseline* 

2. (Original) The computerized method of claim 1 , wherein monitoring a peer- 
to-peer network comprises: 

evaluating network traffic among peers in the peer-to-peer network. 

3. (Cancelled) 
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4. (Original) The computerized method of claim 1, wherein a pattern of activity 
is defined in terms of a threshold value of network traffic in the peer*to-peer 
network. 

5. (OriginaJ) The computerized method of claim 1, wherein a pattern of activity 
is defined in terms of network traffic in the peer-to-peer network tliat uses a specific 
protocol, 

6. (Cancelled) 

7. (Original) The computerized method of claim 1, wherein a pattern of activity 
is defined in terms of network traffic in the peer-to-peer network having a foreign 
address. 

8. (Cancelled) 

9. (Original) The computerized method of claim I , wherein the action 
comprises logging information about the particular pattern. 

10. (Original) The computerized method of claim 1, wherein the action 
comprises sending an alert about the particular pattern. 

1 1 . (Original) The computerized method of claim 1, wherein the patterns of 
activity are local to a peer In the peer-to-peer network. 
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12. (Original) The computerized method of claim 1, wherein the patterns of 
activity are global to the peer-to-peer network. 

13. (Original) The computerized method of claim 1 further comprising; 
obtaining a set of rules speci^g the patterns of activity and associated 

actions. 

14. (Original) The computerized method of claim 13 further comprising: 
refreshing the set of rules when the set of rules changes. 

1 5. (Previously Presented) A computer-readable medium having executable 
instriictions to cause a processor to perform a method comprising: 

monitoring a peer-to-peer networic for suspicious activity^ based on patterns 
of activity; and 

performing an action associated witii a particular pattern when the particular 
pattern is detected in the peer-to^er network; 

wherein the peer-to-peer network permits peers to connect and operate 
substantially without a server by utilizing the server, at most, for providing 
addresses for the peers in the peer-to-peer networlg 

wherein a pattern of activhy is defined in terms of a configuration of shared 
data on a peer» the configuration establishing a baseline of authorized shares and 
permissions in association with the shared data; 

wherein monitoring a peer-to-peer network comprises evaluating a change 
with respect to the shared data on a peer ui the peer-to-peer network, the change 
being made with respect to the baseline. 
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1 6. (Original) The computer-readable medium of claim 1 S, wherein the method 
further comprises: 

evaluating network traffic among peers in the peer-to-peer networic when 
monitoring the peer-to-peer network. 

17. (Cancelled) 

18. (Original) The computernreadable medium of claim 15, wherein a pattern of 
activity is defined in terms of a threshold value of network traffic In the peer-to-peer 
network. 

19. (Original) The computer**readable medium of claim 1 5, wherein a pattern of 
activity is defined in terms of network traffic in the peer-to-peer network that uses a 
specific protocol. 

20. (Cancelled) 

2 1 . (Original) The computer-readable medium of claim 15> wherein a pattern of 
activity is defined ui terms of network traffic in the peer-to-peer network having a 
foreign address. 

22. (Cancelled) 
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23. (Original) The computer-readable medium of claim 15, wherein the action 
comprises logging information about the particular pattern. 

24. (Original) The computer-readable medium of claim 1 5, wherein the action 
comprises sending an al^ about the particular pattern. 

25. (Original) The computer-readable medium of claim IS, wherein the patterns 
of activity are local to a peer in the peer-to-peer netwoilc 

26. (Original) The computer-readable medium of claim 1 5, wherein the patterns 
of activity are global to the pecr-to-peer network. 

27. (Original) The computer-readable medium of claim 15, wherein the method 
further comprises: 

obtaining a set of rules specifying the patterns of activity and associated 

actions. 

28. (Original) Tlie computer-readable medium of claim 27, wherein the method 
further comprises: 

refreshmg the set of rules when the set of rules changes. 

29. (Previously Presented) A system comprising: 

a processor coupled to a memory through a busj 
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a network int6r&(>e coupled to the processoi through the bus and further 
operable to selectively couple to a peer-to-peer network; and 

a peer-to-peer security process executed by the processor from the memory 
to cause the processor to monitor the peer-to-peer network for suspicious activity 
based on patterns of actzvityt and to perform an action associated with a particular 
pattern when the particular pattern is detected in the peer-to-peer network; 

wherein the peer-to-peer network permits peers to connect and operate 
substantially without a server by utihzing the server, ai most» for providing 
addresses for the peers in the peer-to-peer network; 

wherein a pattern of activity is defined in terms of a configuFation of shared 
data on a peer, the cc»ifiguration establishing a baseline of authorized shares and 
permissions in association with the shared data; 

wherein monitoring a peer-to-peer network comprises evaluating a change 
wift respect to the shared data on a peer in the peer-to-peer network, the change 
being made with respect to the baseline, 

30, (Original) The system of claim 29, wherem peer-to-peer security process 
further causes the processor to evaluate network traffic between the peers in the 
peer-to-peer network when monitoring the peer-to-peer network. 

31, (Cancelled) 

32, (Original) Tlic system of claim 29, wherein the peer-to-peer security process 
further causes the processor to monitor the peer-to-peer network for a pattern of 
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activity defined in tenns of a threshold value of network traffic in the peer-to-peer 
network. 

33 . (Original) The system of claim 29, wherein the peer-to-peer security process 
further causes die processor to monitor the peer-to-peer network for a pattern of 
activity defined in terms of network traffic in the peer-to-peer network that uses a 
specific protocol. 

34. (Cancelled) 

35. (Original) The system of claim 29, wherein the peer-to-peer security process 
further causes the processor to monitor the peer-to-peer network for a pattern of 
activity defined in terms of network traffic having a foreign address. 

36. (Cancelled) 

37. (Original) The system of claim 29, wherein the peer-to-peer security process 
further causes the processor to log infomiation about the particular pattern when 
performing the action associated with the particular pattern. 

38< (Original) The system of claim 29, wherein flie peer-to-peer security process 
further causes the processor to send an alert about the particular pattern when 
performing the action associated with the particular pattern. 
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39. (Original) The system of claim 29. wherein the system is a peer in the peei^ 
to-peer network and the patterns of activity are local to the system. 

40. (Original) The system of claim 29, wherein the system is a server in the pear- 
to-peer network and the patterns of activity are global to the peer-^o-peer networic 

41 . (Original) The system of claim 40, wherein the system is a border firewall. 

42. (Original) The system of claim 40, wherefai the system is a domain name 
server. 

43 . (Original) The system of claim 29, wherein the peer-to-peer security process 
further causes the processor to obtain a set of rules specifying the patterns of activity 
and associated actions. 

44. (Original) The system of claim 43, wherein the peer-to-peer security process 
further causes the processor to refresh the set of rules when the set of rules changes. 

45. (Previously Presented) The computerized method of claim 1, wherein a 
share configuration loop is executed to detect changes to shares and corresponding 
permissions, and take action as a fimction of a type of the changes. 

46. (Previously Presented) The computerized method of claim 45, wherein the 
share configuration loop is executed dynamically. 
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47. (Previously Presented) The computerized method of claim 45, wherein the 
share configuration loop is executed on a schedule. 

48. (Previously Presented) The computerized method of claim 45, wherein the 
share configuration loop examines a current share configuration against a previously 
recorded shared configuration. 

49. (Previously Presented) The computerized method of claim 45, wherein, if the 
change includes an attempt to un-share a file or directory, tlie action includes a log 
entry. 
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DC APPENDIX LISTING ANY EVIDENCE REUED ON BY THE APPELLANT 
IN THE APPEAL (37 CJFJR. § 41.37(c)(lKix)) 

There is no such evidence. 
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In the event a telephone conversation would expedite the prosecution of this application, the 
Examiner may reach tte undersigned at (408) 971-2573. For payment of any additional fees due in 
connection with the filing of this paper, the Commissions is authorized to charge such fees to 
Deposit Account No. 50-1351 (Order No. NAI1P344_01.249.01). 



Respectfully submitted 



By:. 




KevinJ.Zilka 
Reg. No. 41,429 

Zilka-Kotab.P, 
P.O. 80x721120 
San Jose, California 95172-1 120 
Telephone: (408) 971-2573 
Facsimile: (408)971-4660 
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